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thenticating the card, against deriving the secret key used from statistical analysis of its information leaking away to the outside 
world in the event of cryptographic operations, such as power-consumption data, electromagnetic radiation and the like. The card 
is provided with at least a shift register having a linear and a non-linear feedback funtion for creating cryptographic algorithms. An 
algorithm is applied to the card, which is constructed in such a manner that the collection of values of recorded leak-information 
signals is resistant to deriving the secret key from statistical analysis of said values. Advantageously, after the key has been loaded 
into the shift register, the shift register clocks on, using at least the linear-feedback function. A suitable alternative is loading only 
the key into the shift register in the event of a fixed content of the shift register. 
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A method for protecting a portable card* 

The invention relates to a method for protecting a portable 
card, provided with at least a crypto algorithm for enciphering data 
and/or authenticating the card, against deriving the secret key used 
from statistical analysis of its information leaking away to the 
outside world in the event of cryptographic operations, such as power 
consumption data, electromagnetic radiation and the like, the card 
being provided with at least a shift register having a linear and a 
non-linear feedback function for creating cryptographic algorithms, 
the method comprising loading data to be processed and a secret key 
in the shift register of the card. 

Using a secret key to process input information and/or to 
produce output information is generally known in the event of 
cryptographic devices. Using feedback shift registers is also 
generally known for creating cryptographic algorithms. 

In this connection, data to be consecutively processed and a 
secret key are loaded into one or more shift registers. Here, the 
sequence of loading data and the key is random. 

Subsequently, the output of the shift register and possibly the 
the shift -register contents are applied, using linear and/or non- 
linear-feedback, to determine the output of the entire algorithm. 
The input of the shift register then, apart from the data and the 
key, also consists of a linear and a non-linear combination of the 
shift-register contents. 

Such shift registers are generally applied in the event of 
portable cards, such as chip cards, calling cards, smart-card 
products and the like. 

Since the secret key is not known to unauthorised third parties, 
it is basically impossible to derive either the input or the key from 
the output of the algorithm. 

Now it has become apparent, however, that for chip cards and the 
like it is possible, in the event of computations, to derive the 
secret key used from a statistical analysis of the power consumption 
of the card. Such methods are known as "Differential Power Analysis" 
(= DPA) and are described in the Internet publication DPA Technical 
Information: "Introduction to Differential Power Analysis and Related 
Attacks" by P. Kocher et al., Cryptography Research, San Francisco, 
1998. 
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Said methods are based on the fact that, in practice, with 
cryptographic operations, information is leaking away to the outside 
world in the form of power -consumption data, electromagnetic 
radiation and the like. 

Thus, logical microprocessor units show regular transistor- 
switching patterns which externally (i.e., outside the 
microprocessor) noticeably produce electrical behaviour. 

In this manner, it is possible to identify macro 
characteristics, such as microprocessor activity, by recording the 
power consumption and deriving information on the secret key used by 
way of statistical analysis of the data thus obtained. 

The invention now overcomes said drawback and provides a 
portable card which is resistant to such analyses and therefore 
provides a card which is safe to use. 

The method according to the invention is characterised in that 
an algorithm is applied to the card which is constructed in such a 
manner that the collection of values of recorded leak- information 
signals is resistant to deriving the secret key by way of statistical 
analysis of said values. Advantageously, after loading the key into 
the shift register, the shift register is subsequently clocked on, 
during a specific period of time, several times, at least making use 
of the linear feedback function. 

A suitable alternative according to the invention is loading 
only the key into the shift register in the event of a fixed content 
of the shift register. 

In a first advantageous embodiment of the invention, there is 
first loaded the key, subsequently clocking on is performed, after 
which the data is loaded. 

In another advantageous embodiment of the invention, the key is first 
loaded, subsequently the data is loaded into the shift register, 
making exclusive use of the linear feedback function and subsequently 
the clocking on is performed. 

In yet another advantageous embodiment of the invention, the 
data is first loaded, subsequently the key is loaded, making 
exclusive use of the linear feedback function, whereafter clocking on 
is performed. 

The invention will now be further explained with reference to 
the drawing and the description by way of non- limiting example. 

FIG. 1 schematically shows a typical shift register as applied 
with a portable card, such as a chip card and the like. 



WO 01/05090 



PCT/EP00/04627 



FIG. 2 schematically shows an advantageous solution according to 
the invention, and 

FIG. 3 schematically shows another advantageous solution 
according to the invention. 
5 Referring now to FIG. 1, there is shown a feedback shift 

register 1, which is applied in any way suitable for that purpose to 
a portable card, not shown for simplicity's sake, such as a chip 
card, calling card and the like, having an input 2 and an output 3. 

The feedback shift register 1 comprises a shift register la, as 
10 well as a feedback function, which in this case consists of a linear 

function lb and a non-linear function lc having an output 3a. Such a 
feedback shift register, due to its relatively low costs, is eligible 
for being applied to, e.g., calling cards and the like. The non- 
linear function may see to it that each bit depends on each number of 
15 key bits. 

Shift registers are generally known and their operation will 
therefore not be described in detail. The shift register la consists 
of a series of bits. The length of a shift register is expressed in 
bits; in the event of a length of n bits, it is called an n-bit shift 
20 register. 

Each time a bit is required, all bits in the shift register are 
shifted 1 bit to the right. The new left bit is calculated as a 
function of the bits remaining in the register and the input. 

The output of the shift register is 1 bit, often the least 
25 significant bit. The period of a shift register is the length of the 

output series before repetition starts. 

Data is loaded by way of the input 2; the key is loaded, and 
results are produced by way of the output 3 or, if so desired, 3a. 
In a similar situation, however, there may be carried out an attack 
30 on the secret key used by way of DPA, based on power variations of 

the system in the event of computations via statistical analysis of 
"leak data" and error- correcting techniques. 

In this connection, it should be noted that, from a security 
viewpoint, it is desirable to load the key and the data non-linearly 
35 into the shift register. It has become apparent, however, that in 

the event of calculations, non-linearly loading the key and the data 
into the shift register increases the chance of deriving the secret 
key used through statistical analysis of the power consumption. 

In FIG. 2 and FIG. 3, the same reference numerals as used in 
40 FIG. 1 refer to the same components. 
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FIG. 2 now shows an advantageous embodiment of the invention, 
the key first being loaded into the shift register, subsequently data 
being loaded, at least initially, exclusively using the linear- 
feedback function, and then the clocking on (e.g., 100 times or over) 
of the shift register taking place. During loading the data and, if 
so desired, the subsequent clocking on, the non- linear function of 
the shift register is deactivated until the shift register has been 
sufficiently clocked on. Then, the non- linear function is switched 
on once again. 

In doing so, the linear- feedback function lb continues to be 
active. 

Deactivating and activating, as the case may be, the non- linear 
function lc may take place in any way suitable for that purpose, 
e.g., using switches. 

The shift register la is advantageously clocked on so many times 
that the content of all elements of the shift register depends on a 
large portion of the bits of the key. 

In another advantageous embodiment, after loading the key there 
is first clocked on until the content of all elements of the shift 
register depends on a large portion of the bits of the key. Only 
after said clocking on, the data in the shift register la is 
permitted to be loaded and non- linear operations on the content of 
the shift register are also permitted to be effected. 

Clocking on takes place in any way known to those skilled in the 
art and will therefore not be explained in further detail. 

For completeness' sake, it should be noted that DPA is only 
capable of being carried out if there takes place a non- linear 
operation of the data with the key. Since, in addition, the effort 
required for DPA rises exponentially with the number of key bits on 
which the bits in the shift register depend, it is achieved in this 
manner that, in the event of sufficient interim clocking on of the 
shift register la, applying DPA does not result in short-term 
success . 

In FIG. 3, there is shown an advantageous variant of the 
invention, the key having been loaded with a fixed content of the 
shift register (which may also consist purely of zeros) and clocking 
on the shift register taking place with an active linear and an 
active non-linear feedback function, but without data being loaded 
into the shift register during the clocking-on period. In doing so, 
the input of data into the shift register after loading the key is 
disconnected from the shift register and is reinstated again after a 
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specific clocking -on period. Due to the fixed content of the shift 
register, it is not permitted to apply any modifications and an 
unauthorised third party shall not be capable of determining a 
collection of different values of leak data, such as power 
consumption, and subject it to statistical analysis in order to 
retrieve the key. 

In this solution according to the invention, the key may 
therefore be loaded non- linearly , and deactivating the non- linear 
feedback function will not be required. 

In another advantageous embodiment of the invention, in the 
event that the key, after data has been loaded into the shift 
register, is not loaded with the fixed content of the shift register, 
the key is loaded into the shift register using only the linear- 
feedback function, whereafter subsequent clocking on is permitted to 
take place. 

After the aforementioned description, various modifications of 
the method according to the invention will become apparent to those 
skilled in the art. 

Such modifications shall be deemed to fall within the scope of 
the invention. 
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CLAIMS 

1. A method for protecting a portable card provided with at least a 
crypto algorithm for enciphering data and/or authenticating the card 
against deriving the secret key used from statistical analysis of its 
information leaking away to the outside world in the event of 
cryptographic operations, such as power -consumption data, 
electromagnetic radiation and the like, the card being provided with 
at least a shift register having a linear and a non-linear feedback 
function for creating cryptographic algorithms, the method comprising 
loading data to be processed and a secret key in the shift register 

of the card, characterised in that an algorithm is applied to the 
card which is constructed in such a manner that the collection of 
values of recorded leak- information signals is resistant to deriving 
the secret key by way of statistical analysis of said values. 

2. The method according to claim 1, characterised in that, after 
the key has been loaded into the shift register, the shift register 
subsequently, during a specific period, clocks on several times, at 
least using the linear- feedback function. 

3. The method according to claim 2, characterised in that the shift 
register is clocked on for so long that the content of all elements 

of the shift register largely depend on the bits of the key. 

4. The method according to claim 2 or 3, characterised in that, 
after the key has been loaded and after clocking on, the data is 
subsequently loaded into the shift register. 

5. The method according to either of the claims 2 and 3, 
characterised in that after the key has been loaded into the shift 
register, the data is loaded using only the linear -feedback function 
and the shift register subsequently clocks on. 

6. The method according to any one of claims 2 to 5, characterised 
in that clocking on the shift register takes place with an active 
linear- feedback function and a non-active, non-linear feedback 
function of the shift register. 
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7. The method according to any one of claims 2 to 6, characterised 
in that clocking on the shift register takes place with an active 
linear and an active non- linear feedback function of the shift 
register, no data being loaded into the shift register, however, 
during, or prior to, the clocking-on period or prior to loading the 
key . 

8. The method according to any one of claims 5 to 7, characterised 
in that the non- linear feedback function is deactivated by 
disconnecting the connections thereof with the shift register as well 
as, if so desired, with the input. 

9. The method according to any one of the claims 4 to 8, 
characterised in that the input of data into the shift register after 
loading the key into the shift register is disconnected from the 
shift register and is reinstated after the aforementioned specific 
period. 

10. The method according to any one of the preceding claims 1 to 9, 
characterised in that the key is only loaded into the shift register 
in the event of a fixed content of the shift register. 

11. The method according to any one of the preceding claims 1 to 9, 
characterised in that, if the key is not loaded with a fixed content 
of the shift register, the key is loaded into the shift register 
using only the linear -feedback function, whereafter clocking on takes 
place. 
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